Anonymous attacks expose organisations to other risks

Recent attacks on the Government Communications and Information Systems (GCIS), and the South African Department of Water Affairs, are only the latest in hacking collective Anonymous' Operation Africa, a campaign that has set its sights on corrupt African governments.

A few weeks ago, Anonymous declared that the campaign is "an ongoing effort by several activists within anonymous who have begun collaborating, focusing on the disassembly of corporations and governments that enable and perpetuate corruption on the African continent".

However, the disruption that is caused by this sort of attack is only the tip of the iceberg. David Yates, Information Security Consultant at MWR Infosecurity, says there can also be a knock-on effect of this type of breach, because it exposes the organisation to additional attacks through the use of spear-phishing and other targeted social engineering techniques.

Moreover, he says that because individuals are notorious for re-using credentials and personal information as identifiers across multiple sites, should one site be compromised, the rest could be too. These could include online banking, loyalty programmes, e-mail and social media accounts.

Mary Racter, Information Security Consultant at MWR Infosecurity, adds that in many cases a threat actor doesn't achieve his nefarious ends in a linear way, but rather via easier, peripheral targets, such as third-party partners or compromised individuals, and then uses that 'foot in the door' to move laterally and compromise the valuable target systems.

"This would explain why the Department of Water Affairs was exposed despite the impact of its breach being small when compared to, for example, the Parliamentary databases. It also means that these peripheral breaches should not be dismissed as irrelevant, as they could form part of the intermediate steps in a higher-impact system breach. In other words, the Department of Water Affairs could potentially be a stepping stone in another attack," she explains.

Yates adds that cyber criminals use a multitude of flaws and vulnerabilities in a business's Web applications, IT infrastructure, and people, to breach a network. He says, however, that there are precautions that public and private organisations can follow to secure their valuable information, irrespective of whether the attackers have financial or ideological motives.

Racter says that while hacktivism can be viewed in a similar light to other, more physical forms of protest, and is sometimes exercised for the same broad array of political or ideological reasons, hacktivists' motivation is not always so clear cut.

She says Anonymous is not a single, focused group of people, as any individual could choose to operate under the name 'Anonymous' at any time. The collective does not have a set mission statement or an identifiable list of members. "Although there may be informal leadership by consensus, members are not under obligation to follow it. Anonymous is also only loosely cohesive, so even if there is a group of people participating in a campaign at a specified point in time, the intentions of the group cannot be assumed to be uniform across participants."

This is why it is hard to pinpoint the motivation behind the attacks. She explains that information stolen during the commission of these attacks has a market value, and once in the possession of groups or individuals with no accountability, could be used for personal gain.

"Organisations can defend themselves from hacktivists by employing the same approach to security as for any other class of attacker. A robust security policy should include strategies for prevention, detection and response, the three phases in the security life-cycle. Investment in all three phases is critical."

In terms of prevention, he advises businesses to perform security testing on Web applications to catch and fix flaws which could lead to data exposure, and to follow the principle of least privilege when deploying systems, ensuring that no one has access to anything they do not strictly need to perform their role. "If a system does not need to be accessed outside of the internal network, it shouldn't be exposed on the Internet."

On detection, he says organisations should involve active, skilled individuals. While automated anti-virus, intrusion detection and prevention systems can be effective tools, their logs should be scrutinised by people who can analyse the data to pinpoint any security events or anomalies.

Finally, in terms of response, should a company fall victim to an attack, he says it is important to assess the damage that has been done and ensure that the attack paths which led to the breach are closed as quickly as possible, so that a similar incident won't happen again. "If users' data is breached, it is important to inform them as soon as possible so that they can protect themselves by changing any reused passwords. The black market value of a data breach immediately falls when it is publicised."